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1 DETAILED ACTION 

2 

3 Continued Examination Under 37 CFR 1.114 

4 

5 A request for continued examination under 37 CFR 1.114, including the fee set 



6 forth in 37 CFR 1 .17(e), was filed in this application after final rejection. Since this 

7 application is eligible for continued examination under 37 CFR 1 . 1 1 4, and the fee set 

8 forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 

9 has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
1 0 9/22/2006 has been entered. 



11 

1 2 This action is in response to the communication filed on 9/22/2006. 

1 3 All objections and rejections not set forth below have been withdrawn. 

14 Claims 1,4-12, 16-21, and 24-28 are pending. 
15 

16 Specification 

17 

1 8 The specification is objected to as failing to provide proper antecedent basis for 



1 9 the claimed subject matter. See 37 CFR 1 .75(d)(1 ) and MPEP § 608.01 (o). Correction 

20 of the following is required: Regarding claims 1,12, and 21 , Applicant has not pointed 

21 out where the amended claim is supported, nor does there appear to be a written 
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1 description of the claim limitation 'wherein one or more predetermined symbols are 

2 removed without replacement from the data input' in the application as filed." 
3 



4 Claim Rejections - 35 USC § 112 

5 

6 The following is a quotation of the first paragraph of 35 U.S.C. 112: 

7 The specification shall contain a written description of the invention, and of the manner and process of 

8 making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 

9 art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
1 0 set forth the best mode contemplated by the inventor of carrying out his invention. 

11 

12 Claim 1, 4-12, 16-21, and 24-28 rejected under 35 U.S.C. 112, first 



1 3 paragraph, as failing to comply with the written description requirement. The 

14 claim(s) contains subject matter which was not described in the specification in such a 

15 way as to reasonably convey to one skilled in the relevant art that the inventor(s), at the 

16 time the application was filed, had possession of the claimed invention. Specifically, 

17 support is lacking for the new limitations, recited within claims 1, 12, 21, as filed. See 

1 8 above objection to the specification. 
19 



20 Claim Rejections - 35 USC § 101 

21 

22 35 U.S.C. 101 reads as follows: 

23 Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 

24 matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 

25 conditions and requirements of this title. 

26 

27 Claims 21 and 24-28 are rejected under 35 U.S.C. 101 because the claimed 



28 invention is directed to non-statutory subject matter. Claims 21 and 24-28 pertain 
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1 to carrier waves bearing instructions. Claims reciting a signal encoded with descriptive 

2 material fails to fall within any of the categories of patentable subject matter set forth in 

3 35 USC §101. 
4 



5 Claim Rejections - 35 USC § 103 

6 

7 The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 

8 obviousness rejections set forth in this Office action: 

9 (a) A patent may not be obtained though the invention is not identically disclosed or described as set 

1 0 forth in section 1 02 of this title, if the differences between the subject matter sought to be patented and 

11 the prior art are such that the subject matter as a whole would have been obvious at the time the 

1 2 invention was made to a person having ordinary skill in the art to which said subject matter pertains. 

1 3 Patentability shall not be negatived by the manner in which the invention was made. 

14 

15 Claims 1, 4-12, 16-21, and 24-28 are rejected under 35 U.S.C. 103(a) as 

16 being unpatentable over Scott et al. (Scott), "Abstracting Application-Level Web 

1 7 Security" in view of Wheeler, Secure Programming for Linux and Unix HOWTO . 

18 

19 Regarding claim 1, Scott discloses: 

20 receiving data input through a web page from a client device (fig. 1 , page 2, col. 

21 1 , par. 3-6); referencing a declarative module to determine a client input security screen 

) 

22 to apply to the data input from the client device (page 3, col. 2, par. 2); 

23 wherein the declarative module comprises: 

24 a global section that includes at least one client input security screen that applies 

25 to any type of client input value (fig. 2; page 6, col. 1 , par. 1 , 2, par. 2, lines 9-1 3). Scott 
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1 discloses input security screens (i.e. a transformation screen) that are applied to all user 

2 input (parameters values); 

3 an individual values section that includes at least one client input security screen 

4 that applies to a particular type of client input value (fig. 2; page 4, col. 1 ). Herein, Scott 

5 discloses screens for screening particular types of client input values (i.e. cookies, urls, 

6 other parameters). Thus Scott discloses an individual values section. 

7 and applying multiple client input security screens to the data input from the client 

8 device (page 3, col. 2, par. 2; fig. 2), including at least one client input security screen 

9 from the global section of the declarative module and at least one client input security 

1 0 screen from the individual values section of the declarative module, wherein the client 

1 1 input security screens are distinct from one another (page 3, col. 2, par. 1 , 2; fig. 2). 

12 Herein, Scott discloses separate screens. 

1 3 Scott discloses the application of a plurality of validation and transformation 

14 screens to the input data of a client. The system of Scott thus provides protection 

15 against security attacks, for example - malicious scripting attacks as revealed by CERT 

16 Advisory [CA-2000-02] (Scott, pg. 2, "Cross-Site Scripting"). However, regarding such 

17 validation and transformation screens, Scott does, not explicitly state wherein one or 

1 8 more predetermined symbols are removed without replacement from the data input. 

19 Nevertheless, the examiner points out that when protecting against security 

20 attacks, such as malicious scripting attacks, the notion of [removing] one or more 

21 predetermined symbols. ..without replacement from the data input was well known to 

22 those ordinary skill in the art. Applicants may refer to their own admission of such. 
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1 Specifically, Applicants state that prior art systems combat security attacks by 

2 "discarding" (removing without replacing) or "altering" (removing and replacing) one or 

3 more predetermined symbols (Instant Application, par 6). 

4 Similar to Scott, Wheeler discloses security methods to validate and transform 

5 client input data so as to protect against the types of security attacks as revealed by, 

6 CERT Advisory [CA-2000-02] (Wheeler, 6.15.1 "Explanation of the Problem"; 

7 4:"Validate All Input; 6.15:"Prevent Cross-Site Malicious Content - 6.1 5.2-3:" Identifying 

8 Special Characters", "Filtering", "Encoding"). Wheeler discloses as advantageous, that 

9 when preventing security attacks, a system should perform the methods of filtering data 

10 (removing), encoding data (removing and replacing), and validating data (allowing only 

1 1 valid data to pass) (Wheeler, 6.15.2, "Solutions to Cross-Site Malicious Content"). 

12 It would have been obvious to one of ordinary in the art to employ the method 

1 3 wherein one or more predetermined symbols are removed without replacement from the 

14 data input as taught by Wheeler within the system of Scott. This would have been 

15 obvious because one of ordinary skill in the art would have been motivated by the 

16 advantages of security and flexibility to incorporate the various well known and 

17 suggested methods taught by Prior art as being effective against security attacks. 
18 

1 9 Regarding claim 4, the combination discloses: 

20 wherein the particular type of client input value is one of the following types of 

21 client input values: query string; server variable; form value; cookie (Scott, fig. 2). 
22 
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1 Regarding claim 5, the combination discloses: 

2 wherein the declarative module further comprises a web.conftg file (Scott, page 

3 1, col. 2, par.3; page 3, col. 2, par. 1). 
4 

5 Regarding claim 6, the combination discloses: 

6 wherein the applying the client input security screen further comprises executing 



7 a default action on invalid client input detected by the client input security screen (Scott, 

8 page 3, col. 2, par. 1 , lines 8-13, par. 2, lines 5-1 1 ; page 4, col. 2, par. 3,4). Scott 

9 discloses the application of several types of input screening to all input data (default 

10 screening) wherein actions are performed on the all the input data during the process of 

1 1 data input security screening. Additionally, Scott discloses default transformations that 

12 can be applied during the screening of invalid input data. 
13 

14 Regarding claim 7, the combination discloses: 

1 5 wherein the applying the client input security screen further comprises executing 

1 6 a specified action on invalid client input detected by the client input security screen, the 

1 7 specified action being specified in the client input security screen (Scott, page 4, col. 1 , 

18 par. 4-6). 
19 

20 Regarding claim 8, the combination discloses: 

21 wherein a client input security screen further comprises one or more values that 

22 may be entered as client input the one or more values further comprising the only 



Application/Control Number: 10/606,089 Page 8 

Art Unit: 2137 

1 values that may be entered as client input (Scott, page 4, col. 1 , par. 4-6). Scott 

2 discloses a security screen that constrains client input to a set of values, such as any 

3 integer: 0 - int [length 4]. Thus, the security screen effectively comprises the values of 

4 0 - int [length 4] to be imposed upon the client input as a restriction. Additionally, Scott 

5 discloses that the security screen comprises specific URL values (extracted from HTTP 

6 requests) that may be entered as client input (Scott, page 6, col. 2, par. 1). 
7 



8 Regarding claim 9, the combination discloses: 

9 wherein a client input security screen further comprises one or more screened 

1 0 values that, when detected in the client input cause an action to be taken on the client 

1 1 input (Scott, fig. 4; page 3, col. 2, par. 2; page 4, col. 2, par. 3). 
12 

13 Regarding claim 10, the combination discloses: 

1 4 wherein the action to be taken further comprises removing the one or more 



1 5 screened values detected in the client input (Scott, fig. 4; page 3, col. 2, par. 2; page 4, 

16 col. 2, par. 3, 4). Scott discloses the encoding of screened values (removal and 

17 replacement). Additionally, Scott discloses the removal of values from client input 

18 based upon the client input security screen (Scott, page 7, col. 2, par. 1.1 - 1.2) 
19 

20 Regarding claim 1 1 , the combination discloses: 
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1 wherein the action to be taken further comprises removing an entire string that 

2 contains the one or more screened values detected in the client input (Scott, page 6, 

3 col. 2, par. 3; fig. 5; page 9, col. 1, par. 2.2). 
4 

5 Regarding claim 12, it is the system claim corresponding to the method claim 1 , 

6 and is rejected for, at least, the same reasons, and furthermore because Scott 

7 discloses: 

8 a web page server unit configured to provide one or more web pages to one or 

9 more client devices over a distributed network (Scott, fig. 1 ). 
10 

1 1 Regarding claim 16, the combination discloses: 

1 2 wherein a screening rule further comprises a client input variable that may be 

1 3 accepted as input from a client (Scott, fig. 5). Scott discloses various screening rules 

14 that accept client input variables. 
15 

16 Regarding claim 17, the combination discloses: 

1 7 wherein a screening rule further comprises one or more screened characters 

1 8 that, when detected in client input, are screened from the client input according to a 

1 9 screening rule (Scott, fig. 5 - see transformation). 
20 

21 Regarding claim 18, the combination discloses: 
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1 wherein the screening rule further comprises a default screening action that is 

2 applied in the absence of a specified screening action (Scott, fig. 5 - see 

3 transformation). Scott discloses a single screening action that is to be performed, and 

4 thus, a default screening action. 
5 



6 Regarding claim 19, the combination discloses: 

7 wherein the screening rule further comprises a specified screening action that is 

8 applied to the screened client input (Scott, fig. 5 - see transformation). Scott discloses 

9 a single specific screening action that is to be performed. 
10 

1 1 Regarding claim 20, it is rejected, at least, for the same reasons as claim 5. 
12 

13 Regarding claim 21 , it is rejected, at least, for the same reasons as claim 1 , and 

14 furthermore because the combination discloses: 

1 5 serving a web page to a client over a distributed network; receiving client input 



16 via the web page (Scott, fig. 1 , page 2, col. 1 , par. 3-6); comparing the client input with 

1 7 multiple and distinct client input security screens stored in a security declarative module; 

1 8 wherein the security declarative module includes a global section configured to screen 

1 9 all types of client input values and an individual values section configured to screen 

20 particular types of client input values (see rejection of claim 1 ); if invalid client input is 

21 detected, performing a screening action on the invalid client input as indicated by the 

22 security declarative module (Scott, page 3, col. 2, par. 2; page 4, col. 2, par. 3; page 6, 
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1 col. 1 , par. 1 , 2; fig. 5); and wherein the client input security screens included in the 

2 security declarative module can be applied to multiple web pages (Scott, page 4, col. 1 , 

3 par. 2). 

4 Furthermore, Scott discloses a computer system, and thus discloses media and 

5 instructions (Scott, fig. 1). 
6 

7 Regarding claims 24 and 25, they are the media and instruction claims 

8 corresponding to the method and system claims of 5 - 7, 18, and 19, and they are 

9 rejected for, at least, the same reasons. 
10 

1 1 Regarding claim 26, the combination discloses: 

1 2 wherein the screening action further comprises a default action that is not 

1 3 required to be specified in a client input security screen (Scott, page 6, col. 1 , par. 1 , 2). 
14 

15 Regarding claims 27 and 28, the combination discloses: 

1 6 wherein the multiple web pages are included in a web project and wherein the 



1 7 multiple web pages are included in a web-based application (Scott, Abstract; 

18 Introduction; fig. 1; section 3.1; page 4, col. 1, par. 2; page 6, col. 1, par. 2, col. 2, par. 

19 1 ). Scott discloses a security policy to be applied to a large web-application, the policy 

20 comprising rules for the web pages of a site. The web pages are associated with a web 

21 application, thus, they are included in a web project/application. 
22 
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1 

2 Response to Arguments 

3 

4 Applicant's arguments with respect to the above rejected claims have been 

5 considered but are moot in view of the new ground(s) of rejection. 
6 

7 Furthermore, Applicant's arguments filed 9/22/2006 have been fully considered 

8 but they are not persuasive. 
9 

1 0 Applicants argue primarily that: 

11 

12 (i) Furthermore, Scott is completely lacking ...the subject matter of claim 1 . The 

1 3 immediately foregoing deficiency of Scott has been argued previously in the prosecution 

14 of this matter and is not reiterated here in the interest of brevity. 
15 

16 In response, the examiner respectfully refers the applicant to the examiner's 

17 previous responses to such argument and any such similar argument regarding the 

1 8 screening of all input and the screening of individual types of input. 
19 

20 Conclusion 

21 
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1 



The prior art made of record and not relied upon is considered pertinent to 



2 



applicant's disclosure. 



3 



See Notice of References Cited. 



4 



5 



A shortened statutory period for reply to this final action is set to expire THREE 



6 MONTHS from the mailing date of this action. In the event a first reply is filed within 

7 TWO MONTHS of the mailing date of this final action and the advisory action is not 

8 mailed until after the end of the THREE-MONTH shortened statutory period, then the 

9 shortened statutory period will expire on the date the advisory action is mailed, and any 

10 extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 

1 1 the advisory action. In no event, however, will the statutory period for reply expire later 

12 than SIX MONTHS from the mailing date of this final action. 
13 

14 Any inquiry concerning this communication or earlier communications from the 

1 5 examiner should be directed to Jeffery Williams whose telephone number is (571 ) 272- 

16 7965. The examiner can normally be reached on 8:30-5:00. 

1 7 If attempts to reach the examiner by telephone are unsuccessful, the examiner's 

1 8 supervisor, Emmanuel Moise can be reached on (571 ) 272-3865. The fax phone 

1 9 number for the organization where this application or proceeding is assigned is 571 - 

20 273-8300. 
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1 Information regarding the status of an application may be obtained from the 

2 Patent Application Information Retrieval (PAIR) system. Status information for 

3 published applications may be obtained from either Private PAIR or Public PAIR. 

4 Status information for unpublished applications is available through Private PAIR only. 

5 For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 

6 you have questions on access to the Private PAIR system, contact the Electronic 

7 Business Center (EBC) at 866-21 7-91 97 (toll-free). If you would like assistance from a 

8 USPTO Customer Service Representative or access to the automated information 

9 system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
10 
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14 
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